Slashdot Mirror


New Hack Exploits Common Programming Error

buzzardsbay writes "TechTarget's security editor, Dennis Fisher, is reporting that researchers at Watchfire Inc. have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability. According to the article, the researchers stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company's AppScan software against a Web server. The good folks at Watchfire will detail the technique in a presentation at the Black Hat Briefings in Las Vegas in August, Fisher writes."

8 of 255 comments

  1. Re:That's nice and everything but.... by Wavicle · · Score: 5, Insightful

    Presumably what they have here is a dangling pointer to a function, which they can get IIS to then call. They state that this used to be a "denial of service" attack - meaning that if IIS attempted the call before, it would execute garbage and cause a runtime fault. Now, however, they can change the value of the dangling pointer and when IIS does the jump this time, it executes their exploit code instead.

    --
    Education is a better safeguard of liberty than a standing army.
    Edward Everett (1794 - 1865)
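The situation Wavicle describes, a freed object whose function pointer is still reachable and later called, is the general use-after-free pattern. The C program below is an added example, not code from this thread, from Watchfire or from IIS; it shows one defensive structure that makes a stale reference fail safely instead of being dereferenced: objects live in a slot table, callers hold a (index, generation) handle, and every release bumps the slot's generation, so any copy of the old handle is rejected even after the slot has been reused. All names (`slot_t`, `handle_t`, `handle_alloc`, `handle_free`, `handle_call`, `dangling_scenario`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical request-handler object carrying a callback, standing in for
   the kind of object the comment above describes. */
typedef int (*handler_fn)(int arg);

typedef struct {
    handler_fn fn;
    int live;       /* 1 while allocated, 0 after release */
    uint32_t gen;   /* generation counter, bumped on every release */
} slot_t;

/* A handle is (index, generation). A stale handle fails the generation
   check instead of being dereferenced, so a use-after-free becomes a
   rejected request rather than a call through freed memory. */
typedef struct {
    uint32_t index;
    uint32_t gen;
} handle_t;

#define NSLOTS 8
static slot_t table[NSLOTS];

/* Constructed callback used as sample payload. */
static int double_arg(int a) { return 2 * a; }

handle_t handle_alloc(handler_fn fn) {
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            table[i].fn = fn;
            return (handle_t){ i, table[i].gen };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };  /* table full: index is out of range */
}

static int handle_valid(handle_t h) {
    return h.index < NSLOTS && table[h.index].live && table[h.index].gen == h.gen;
}

/* Release: 0 on success, -1 if the handle is already stale (double release). */
int handle_free(handle_t h) {
    if (!handle_valid(h)) return -1;
    table[h.index].live = 0;
    table[h.index].fn = NULL;   /* never leave the old callback behind */
    table[h.index].gen++;       /* every outstanding copy of h is now stale */
    return 0;
}

/* Call through the handle: 0 and the callback result on success, -1 without
   touching the callback when the handle is stale. */
int handle_call(handle_t h, int arg, int *result) {
    if (!handle_valid(h)) return -1;
    *result = table[h.index].fn(arg);
    return 0;
}

/* Walks the scenario from the comment: call, release, then a call through a
   stale copy after the slot has been handed to a new object. Returns 0 when
   every step behaves as intended, a negative step number otherwise. */
int dangling_scenario(void) {
    int r = 0;
    handle_t h = handle_alloc(double_arg);
    handle_t stale = h;                         /* a copy kept somewhere else */
    if (handle_call(h, 21, &r) != 0 || r != 42) return -1;
    if (handle_free(h) != 0) return -2;
    handle_t reused = handle_alloc(double_arg); /* same slot, new generation */
    if (handle_call(stale, 1, &r) != -1) return -3;  /* stale copy rejected */
    if (handle_free(stale) != -1) return -4;         /* double release rejected */
    if (handle_free(reused) != 0) return -5;
    return 0;
}

/* Allocates, calls with 5, releases, and returns the callback result (10). */
int fresh_handle_roundtrip(void) {
    int r = 0;
    handle_t h = handle_alloc(double_arg);
    if (handle_call(h, 5, &r) != 0) return -1;
    if (handle_free(h) != 0) return -2;
    return r;
}

int main(void) {
    printf("dangling_scenario: %d\n", dangling_scenario());
    printf("fresh_handle_roundtrip: %d\n", fresh_handle_roundtrip());
    return 0;
}
```

The generation check is the part that matters: nulling `fn` on release turns the call into a crash, but only the generation mismatch turns it into a clean error once the slot has been reused by a different object. Building with `-fsanitize=address` remains the way to catch the raw pointer variant of this bug in code that does not go through a table like this one.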
  2. Why are we still dealing with this? by 19thNervousBreakdown · · Score: 4, Insightful

    And this isn't a "use Python" or "use Java" rant, either. I will say, however, UNIT TEST YOUR SHIT! EVERY LINE! Even the little inline function, you need to test it all! Repeat after me: Resource Acquisition Is Initialization. Resource Release Is Destruction. -Wall -Werror, no, warnings aren't OK. No, not even signed vs unsigned comparison warnings, you need to either get your data types straight or wrap that in a partial-specialization template functor that correctly checks that you won't be killed by sign-promotion when you compare int and unsigned long long. strncpy(), not strcpy()! -fprofile-arcs -ftest-coverage! Valgrind!

    I dunno. I manage to write C++ and never overflow a buffer, always release all resources when I'm done with them, and never throw away an error. Why can't the other 95% of the programmers out there do the same thing?

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    1. Re:Why are we still dealing with this? by PetriBORG · · Score: 5, Insightful

      I dunno. I manage to write C++ and never overflow a buffer, always release all resources when I'm done with them, and never throw away an error. Why can't the other 95% of the programmers out there do the same thing?

      They are busy being yelled at by their boss to "just make it work" and to "not worry about getting it perfect" and they are dealing with the idiot "build master" over in change-management who doesn't know what "make clean" is or how to read a make file, but thinks that he's some master csh hacker... Everyone wants that, just not everyone works in a perfect world.

      Shit, most of us are just happy when we are able to beat clear requirements out of people and get reasonable bug reports.

      --
      Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
    2. Re:Why are we still dealing with this? by BitchKapoor · · Score: 4, Insightful

      I dunno. I manage to write C++ and never overflow a buffer, always release all resources when I'm done with them, and never throw away an error. Why can't the other 95% of the programmers out there do the same thing?

      Because they don't care or they're too busy with other stuff, and even if that's not the case, sometimes people make mistakes. That's why you write tools to check that programs are actually being written correctly (wherever possible) and to make it as easy as possible to create full coverage tests, rather than relying on other programmers to do the right thing. Automation, it's a great thing.

  3. Re:Known since 2005 by nagora · · Score: 4, Insightful

    How can a bug like this get through the QA process since 2005 and multiple product versions without getting fixed?

    Because people keep buying their buggy shit. If people buy your products regardless of the quality, what incentive do you have to fix anything?

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  4. Re:More push toward VM's by 19thNervousBreakdown · · Score: 5, Insightful

    Garbage collected languages are no solution to poor programming. If you can't remember to not call a function pointer that you just freed, you'll probably forget to close /etc/passwd before dropping privs, or something equally stupid.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  5. Re:That's nice and everything but.... by mark-t · · Score: 4, Insightful

    But wouldn't said exploit code need to reside in a part of memory that the operating system had previously allocated for executable instructions? I mean I can understand how you could potentially make code that was already part of the program execute without the intention of the programmer, but how do you make code that isn't part of the executable in the first place execute? I mean sure you can put the opcodes for particular instructions into data space, but if you try to branch there, why would the OS even allow that unless the area the program uses for data is also marked as an area where executable instructions can be?

  6. "Security experts" that aren't by Schraegstrichpunkt · · Score: 4, Insightful

    From the article:

    Dangling pointers are quite common, but security experts and developers have said for years that there is no practical way to exploit them, so they've been considered quality-assurance problems and not security flaws.

    Any security expert with at least half a brain is going to assume that a remotely-triggered crash might be exploitable, unless he can actually prove otherwise.

    That said, I've known plenty of "security experts" who weren't.